Optimizing DNS

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By William R. Stanek


from Chapter 16, Windows NT Administrator's Pocket Consultant.

This chapter discusses the techniques you'll use to set up and manage DNS (Domain Name Service) on a network. DNS is a name resolution service that resolves Internet host names to IP addresses. Using DNS, the fully qualified domain name www.tvpress.com, for example, could be resolved to an IP address, which enables computers within DNS domains to find one another. DNS is used with Winsock applications that operate over the TCP/IP protocol stack, such as ping, and can be integrated with WINS.

Understanding DNS

DNS organizes groups of computers into domains. Unlike Microsoft Windows NT domains, which have a flat structure, DNS domains are organized into a hierarchical structure. This structure is defined on an Internet-wide basis, and the different levels identify individual computers, organizational domains, and top-level domains. For the fully qualified host name www.tvpress.com, www represents the host name for an individual computer, tvpress is the organizational domain, and com is the top-level domain.

Root Domains and Parent Domains

Top-level domains are at the root of the DNS hierarchy and are therefore also called root domains. These domains are organized:

Geographically, by using two-letter country codes, such as CA for Canada

By organization type, such as com for commercial organizations

By function, such as shop for online stores

Normal domains, such as tvpress.com, are also referred to as parent domains. They are called parent domains because they are the parents of an organizational structure. Parent domains can be divided into subdomains, which can be used for groups or departments within an organization. For example, the fully qualified domain name for a computer within a human resources group could be designated as jacob.hr.microsoft.com. Here, jacob is the host name, hr is the subdomain, and microsoft.com is the parent domain.

DNS and WINS

DNS domains are completely separate from Windows NT domains and are used to enable interactions with other DNS domains. If computers on the network don't need to access the Internet or other DNS domains, you don't need DNS. One of the key reasons to set up DNS on the network is to enable computers to access the Internet and to resolve host names properly when using Web browsers, Internet e-mail, or other Internet services. A local HOSTS file can also be used to resolve host names to IP addresses. You could use this file to enable name resolution on individual computers, but the HOSTS file has limited usefulness and is a poor way to manage DNS needs on the network.

DNS isn't the only name service available. You can also use WINS (Windows Internet Name Service). Within Windows NT 4.0 domains, WINS is the preferred name service. You'll use WINS to resolve NetBIOS computer names to IP addresses. For more information on WINS, see Chapter 15, "Managing WINS and NetBIOS Over TCP/IP."

The process of resolving fully qualified domain names is often referred to as a DNS lookup. When a network computer makes a request for a fully qualified domain name, a forward lookup is used to determine the IP address of the target computer. To ensure a valid response and deter spoofing (tricking users, often by making a transmission appear to come from an authorized source, into providing passwords and other information to allow unauthorized access to the network), the computer can use the IP address returned in the response to validate the host name. This process is called a reverse lookup.

Enabling DNS on the Network

To enable DNS on the network, you need to configure DNS clients and servers. When you configure DNS clients, you tell the clients the IP addresses of DNS servers on the network. Using this address, clients can communicate with DNS servers anywhere on the network, even if the servers are on different subnets. When the network uses DHCP, you should configure DHCP to work with DNS. To do this, you need to set the DHCP scope options for DNS servers as specified in the section of Chapter 14 titled "Setting Default DNS Servers for DHCP Clients."

Additionally, if computers on the network need to be accessible from other DNS domains, you need to create records for them in DNS. DNS records are organized into zones, where a zone is simply an area within a DNS domain.

Note: Configuring a DNS client is described in the section of Chapter 12 titled "Configuring DNS Resolution." Configuring a DNS server is described in the following section of this chapter.

Installing DNS Servers

Microsoft Windows NT servers can be configured as DNS servers. Three types of DNS servers are available:

Primary server: The main DNS server for a domain. This server stores a master copy of DNS records and the domain's configuration files.

Secondary server: A DNS server that provides backup services for the domain. Secondary servers obtain their DNS information from the primary server when they are started, and they maintain this information until the information is refreshed or expired.

Forwarding-only server: A server that caches DNS information after lookups and always passes requests to other servers. These servers maintain DNS information until it is refreshed or expired or the server is restarted. Unlike secondary servers, forwarding-only servers don't request full copies of a zone's database files.

Before you configure a DNS server, you must install the Microsoft DNS Server service. Afterward, you can configure the server to provide primary, secondary, or forwarding-only DNS services.

Installing the Microsoft DNS Service

You can install the Microsoft DNS Server by doing the following:

Access the Services tab of the Network Control Panel utility and then click on the Add button.

Choose Microsoft DNS Server in the Select Network Service dialog box and then click OK.

Now you need the Windows NT distribution CD-ROM. When prompted, insert the disk and enter the path for the distribution files, such as e:\i386\. Afterward, click Continue.

When you close the Network utility, the DNS Server service is installed and you'll need to restart the computer.

From now on, the Microsoft DNS Server service should start automatically each time you reboot the server. If the service isn't started, you'll need to start it manually with the Services utility in the Control Panel. Installing this service also installs Domain Name Service Manager, which you'll use to manage DNS on the network. You'll find this utility in the Administrative Tools (Common) folder.

Configuring a Primary Server

Every domain should have a primary DNS server. Once you install the Microsoft DNS Server service on the server, you can configure a primary server by completing the following steps:

Select Server List in the left window of DNS Manager and then choose the New Server option on the DNS menu.

Figure 16-1: The new DNS server is listed under the Server List in the Domain Name Service Manager dialog box.

Enter the name or IP address of the server you're configuring and then click OK. As shown in Figure 16-1, an entry for the new server should be added to the left window of DNS Manager.

Right-click on the server entry and then choose New Zone from the pop-up menu. This opens the dialog box shown in Figure 16-2.

Select the Primary radio button and then click Next.

Enter the full DNS name for the zone and then click in the Zone File field. A default name for the zone's DNS database file should be filled in for you. You can use this name or enter a new file name.

Click Next and then click Finish to complete the process. The new zone is added to the server. Basic DNS records for the zone are created automatically.

Figure 16-2: Configure a primary zone with the Create New Zone dialog box.

Note: The zone name should help determine how the server/zone fits into the DNS domain hierarchy. For example, if you're creating the primary server for the tvpress.com domain, you should enter tvpress.com as the zone name.

Reverse lookups are necessary to authenticate DNS requests. If you want to enable reverse DNS lookups for the domain, you should create reverse lookup files for all primary zones now. Follow the steps listed in the section of this chapter titled "Configuring Reverse Lookups."

You need to create additional records for any computers that should be accessible to other DNS domains. Follow the steps listed in the section of this chapter titled "Managing DNS Records."

Configuring a Secondary DNS Server

Secondary servers provide backup DNS services on the network. On a small-sized or medium-sized network, you may be able to use your Internet service provider's name servers as secondaries, and in this case you should contact your Internet service provider to configure secondary DNS services for you. If you want to set up your own secondaries for backup services and load balancing, follow these steps:

Select Server List in the left window of DNS Manager and then choose the New Server option on the DNS menu.

Enter the name or IP address of the server you're configuring and then click OK. As shown in Figure 16-1, an entry for the new server should be added to the left window of DNS Manager.

Right-click on the server entry and then choose New Zone from the pop-up menu.

As shown in Figure 16-3, select the Secondary radio button and then specify the zone whose files should be copied to create the secondary. Do this by entering the name of an existing zone and its primary server in the Zone field and the Server field respectively. Alternatively, you can drag the hand icon from the dialog box to the zone you want to use in DNS Manager's main window.

When you're finished, click Next and then enter the full DNS name for the zone and its database file in the Zone Name and Zone File fields respectively. Note that you may need to overwrite any existing entries.

Click Next to proceed and then enter the IP addresses of one or more master servers for the zone. The secondary server obtains DNS information from the master servers that you specify in this step.

Click Next and then click Finish.

Configuring Reverse Lookups

Forward lookups are used to resolve domain names to IP addresses. Reverse lookups are used to resolve IP addresses to domain names. You define information for forward lookups through standard zone and

Figure 16-3: Configure a secondary zone using the Create New Zone dialog box.

Each segment on your network should have an in-addr.arpa database file. If present, the file must be in sync with the zone/domain database files for the network. If the files get out of sync, authentication may fail for the domain.

You create in-addr.arpa database files by doing the following:

In DNS Manager, right-click on the server entry.

Choose New Zone from the pop-up menu.

Select the Primary radio button and then click Next.

In the Zone Name field, enter the network or subnet portion of your IP address in reverse order followed by in-addr.arpa. For example, if you were on the 192.155.10 subnet, you would use 10.155.192.in-addr.arpa.

Note: If you have multiple subnets on the same network, such as 192.155.10 and 192.155.11, enter only the network portion for the file name. That is, you would use 155.192.in-addr.arpa and allow DNS Manager to create the necessary subnet database files when needed.

Click in the Zone File field. A default name for the zone's DNS database file should be filled in for you. You can use this name or enter a new file name.

Click Next and then click Finish.
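The following is an added example, not code from the book or from Microsoft DNS Server. It ties together two points of this chapter: the in-addr.arpa zone naming described in the steps above (network octets reversed, at a subnet or network boundary), and the reverse lookup used to validate a forward lookup's answer as described in "DNS and WINS". The forward and reverse zone data are constructed here in a minimal BIND-style text layout (the tvpress.com name is the book's example domain; the addresses, host names and SOA values are invented), and the 192.155.10.6 PTR record is deliberately left out of sync with the forward zone to show how a mismatch between the zone files causes the check to fail. Function names are the example's own.

```python
"""Toy forward/reverse zone model: in-addr.arpa naming and forward-confirmed
reverse lookups. Added example; not part of the book or Microsoft DNS Server."""
import ipaddress

# Constructed sample zone data (addresses and hosts invented for this example).
FORWARD_ZONE = """
$ORIGIN tvpress.com.
@       IN  SOA  ns1.tvpress.com. hostmaster.tvpress.com. (1 3600 600 86400 3600)
@       IN  NS   ns1.tvpress.com.
ns1     IN  A    192.155.10.2
www     IN  A    192.155.10.5
mail    IN  A    192.155.10.6
"""

# Reverse zone for the 192.155.10 subnet. Host 6 is deliberately out of sync
# with the forward zone (PTR says ftp, forward zone says mail).
REVERSE_ZONE = """
$ORIGIN 10.155.192.in-addr.arpa.
@       IN  SOA  ns1.tvpress.com. hostmaster.tvpress.com. (1 3600 600 86400 3600)
@       IN  NS   ns1.tvpress.com.
2       IN  PTR  ns1.tvpress.com.
5       IN  PTR  www.tvpress.com.
6       IN  PTR  ftp.tvpress.com.
"""


def parse_zone(text):
    """Parse $ORIGIN plus single-line 'name IN TYPE rdata' records into a
    dict keyed by (fully qualified owner name, record type)."""
    origin = None
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        name, _class, rtype, rdata = line.split(None, 3)
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"          # relative name: append the origin
        records.setdefault((fqdn.lower(), rtype), []).append(rdata)
    return records


def reverse_zone_name(network):
    """Zone name to enter in DNS Manager for a network or subnet: the network
    octets reversed, followed by in-addr.arpa (e.g. 192.155.10.0/24 ->
    10.155.192.in-addr.arpa, 192.155.0.0/16 -> 155.192.in-addr.arpa)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("in-addr.arpa zone names fall on octet boundaries")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip):
    """Owner name of the PTR record for one host address (fully qualified)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def forward_lookup(fwd, host):
    """A records for a host name (trailing dot optional)."""
    return fwd.get((host.lower().rstrip(".") + ".", "A"), [])


def reverse_lookup(rev, ip):
    """PTR names for an address."""
    return rev.get((ptr_name(ip), "PTR"), [])


def forward_confirmed(fwd, rev, host):
    """Validate a forward lookup with a reverse lookup, as the chapter
    describes: keep only addresses whose PTR record names the host back."""
    wanted = host.lower().rstrip(".") + "."
    confirmed = []
    for ip in forward_lookup(fwd, host):
        if wanted in {n.lower() for n in reverse_lookup(rev, ip)}:
            confirmed.append(ip)
    return confirmed


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    print(reverse_zone_name("192.155.10.0/24"))
    for host in ("www.tvpress.com", "mail.tvpress.com"):
        print(host, "->", forward_lookup(fwd, host),
              "confirmed:", forward_confirmed(fwd, rev, host))
```

Running the script shows www.tvpress.com confirmed by its PTR record, while mail.tvpress.com resolves in the forward zone but is not confirmed because the reverse zone names a different host for that address; keeping the two files in sync, as the chapter requires, is what makes the validation succeed.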

Once you set up the in-addr.arpa zone files, you need to ensure that delegation for the zone is handled properly. Contact the Information Services department or your Internet service provider to ensure that the zones are registered with the parent domain.